Millions of Wawa Customers Data Breached — Now Selling on Dark Web

Wawa has acknowledged reports that credit card information stolen in a data breach in 2019 were being sold on the dark web.

The convenience store chain announced before Christmas that its information security team discovered malware on its payment processing servers on Dec. 10, and stopped the breach on Dec 12. The company believes the malware was collecting card numbers, customer names and other data as early as March 4.

In its first comment in over a month about the breach, the company said it "became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident announced by Wawa on December 19, 2019."

Two websites that focus on internet security, Krebs on Security and Gemini Advisor, reported on Tuesday that a site called “Joker’s Stash” claimed 30 million accounts would soon be available for sale from a “new huge nationwide breach" it called BIGBADBOOM-III.

Gemini Advisor reported that only a "small portion" of the accounts were up for sale and were from mostly from Florida and Pennsylvania.

Wawa in its new statement said that it remains confident "only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved. This incident did not impact ATM transactions."

The company said it directed its payment card processor, payment card brands, and card issuers "to heighten fraud monitoring activities.” The company also encouraged customers to report any fraudulent activity and to sign up for free credit monitoring and identity theft protection it is offering.

A bank spokesman would not confirm the number of new cards closed but said that "when deemed appropriate, as was the case in the Wawa data breach, we will protect our affected customers by issuing new debit cards."